Advances in communications technology and the availability of powerful desktop computer hardware have increased the use of computers to access a variety of publicly available computer networks. Today, a tremendous amount of information is exchanged between individual users located around the world via public computer networks. One class of users includes private individuals and professional users interconnected via a private network, such as, for example, a corporate intranet. In addition, the Internet, an expansive international public network of computer networks, is fast becoming an important source of information, electronic communications and electronic commerce for personal computer users in homes and businesses around the world. For example, a significant amount of information is available on a network called the World Wide Web (WWW) or the “Web”, which is a graphical sub-network of the Internet. Essentially, the WWW is a collection of formatted hypertext pages located in numerous computers around the world that are logically connected by the Internet. Information (i.e., content) available on the Web is displayed in the form of so-called “web pages” which are accessed by user interface programs called “web browsers”.
The increased exchange of information between private and public computer networks has presented a variety of critical security issues for the protection of information on private computer networks and the overall functionality of the private computer network itself. Computer network security, at a minimum, is directed to ensuring the reliable operation of computing and networking resources, and protecting information within the network from unauthorized disclosure or access. Various security threats exist which pose increasingly difficult challenges to such network security. In particular, some of the most sophisticated types of security threats are posed by programs which exploit certain vulnerabilities within network computing systems. Such well-known software program threats either work independently (e.g., worms) to achieve their desired security breach, or require a host program to be invoked in order to perform the desired disruptive actions (e.g., trapdoors, logic bombs, Trojan horses or viruses). Indeed, there are numerous well-publicized accounts of such programs being used to improperly breach the security of private computer networks and cause severe damage. Such damage has included the destruction of electronic files, alteration of databases, or the disabling of the computer network itself or computer hardware connected to the affected network.
Network administrators responsible for the operation of private computer networks employ a variety of security measures to protect the network from external security breaches such as the introduction of computer viruses. One technique uses so-called firewalls. This security scheme essentially places a separate computer system (i.e., the firewall) between the private network (e.g., a corporate intranet) and the public network (e.g., the Internet). These firewalls are software-based gateways that are typically installed to protect computers on a local area network (“LAN”) from attacks by outsiders (i.e., unauthorized users). The firewall maintains control over communications from and to the private network. Essentially, the firewall imposes certain security measures on all users employing the private network. For example, firewalls may block access to new Internet services or to sites on the WWW because the security consequences are unknown or not accounted for by the present firewall configuration. One potential installation configuration of a firewall is that WWW clients are prevented from contacting WWW servers directly. Typically, this proves too restrictive, and network administrators employ so-called “proxy servers”. Proxy servers are designed with certain features which provide for the forwarding of requests from WWW clients through the firewall, thereby providing communication flow to and from servers on the Internet.
However, network security problems are further exacerbated by the relative ease with which new host machines or new communications links can be added to access the Internet. In particular, in the context of intranets, such additional new host machines and/or links can be added without consultation with the network administrator or compliance with the communications security measures on the particular intranet. As will be easily appreciated, such Internet security risks are especially catastrophic in the context of corporate intranets, which have become integral in the computing fabric of most major corporations. As such, host machines or communications channels added to the Internet that are unregistered or unrecognizable by the security shield of the network represent tremendous opportunities for so-called “attacks” by external, unauthorized parties, such as so-called “hackers”. Further, there exist numerous well-publicized accounts of attacks launched by hackers who have improperly breached the security of private computer networks over the Internet and caused severe damage.
For example, prevention of so-called “denial of service” (“DoS”) attacks is becoming increasingly important as the use of the Internet becomes pervasive and this expansive network is strategically situated in the critical path of many commercial applications such as, for example, electronic commerce. As will be appreciated, DoS attacks are different from the security risks associated with some of the attacks discussed above (e.g., viruses), in that DoS attacks are not primarily designed to damage computer files or misappropriate an innocent party's information. Rather, DoS attacks are primarily launched to disable a particular Internet site from operating.
Essentially, DoS attacks take advantage of the inherent communications design of the Internet, and in particular, the feature that messages exchanged across the Internet are presumed valid and originating from valid sources. As such, attackers launching the DoS attack use this principle to their advantage to inundate a particular Internet site with messages, thereby overloading the site's ability to respond and disabling the site from operating. DoS attacks are characterized by a flood of packets with random, apparently valid, return addresses. However, such addresses are in fact fictitious and are generally created by a malicious program executing on an unknown host computer, and are carried by packets that have no information with respect to the actual identity of the originating host.
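The symptom described above, a high packet volume in which almost every packet carries a different, never-repeating source address, is something the victim can observe directly even though the addresses themselves are fictitious. The following detector is an added example for this discussion and is not part of the patent text; the flow records, the server addresses (documentation ranges), the window width and the thresholds are all constructed assumptions.

```python
"""Flag destinations receiving a flood of packets from random-looking sources.

Added example, not part of the patent text. It models the symptom the
background describes: many packets arriving in a short window, almost all
of them with distinct source addresses. Genuine clients tend to send
several packets each from a smaller, stable set of sources.
"""
from __future__ import annotations

import ipaddress
import random
from collections import defaultdict

WEB_SERVER = "198.51.100.10"   # constructed: receives normal client traffic
VICTIM = "198.51.100.20"       # constructed: receives the spoofed flood


def build_sample_records(seed: int = 7) -> list[tuple[float, str, str]]:
    """Return constructed (timestamp, src, dst) flow records covering 20 seconds."""
    rng = random.Random(seed)
    records = []
    clients = [f"192.0.2.{i}" for i in range(1, 21)]
    # Normal traffic: 20 clients, 200 packets in total, so sources repeat often.
    for i in range(200):
        records.append((i * 0.1, rng.choice(clients), WEB_SERVER))
    # Flood: 500 packets in the same period, each with a freshly random source.
    for i in range(500):
        src = str(ipaddress.IPv4Address(rng.getrandbits(32)))
        records.append((i * 0.04, src, VICTIM))
    return records


def window_stats(records, window: float = 10.0) -> dict[tuple[str, int], dict]:
    """Per (destination, window index): packet count and distinct-source ratio."""
    packets = defaultdict(int)
    sources = defaultdict(set)
    for ts, src, dst in records:
        key = (dst, int(ts // window))
        packets[key] += 1
        sources[key].add(src)
    return {
        key: {"packets": n,
              "distinct_sources": len(sources[key]),
              "distinct_ratio": len(sources[key]) / n}
        for key, n in packets.items()
    }


def flagged_destinations(records, window: float = 10.0,
                         min_packets: int = 100, min_ratio: float = 0.8) -> set[str]:
    """Destinations with a busy window in which nearly every packet has a new source."""
    return {
        dst for (dst, _), s in window_stats(records, window).items()
        if s["packets"] >= min_packets and s["distinct_ratio"] >= min_ratio
    }


if __name__ == "__main__":
    recs = build_sample_records()
    for key, s in sorted(window_stats(recs).items()):
        print(key, s)
    print("flagged:", flagged_destinations(recs))
```

The distinct-source ratio is the discriminating signal here: the normal server sees about 100 packets per window from at most 20 sources (ratio near 0.2), while the flooded host sees 250 packets per window with essentially every source unique (ratio near 1.0). Volume alone would not separate the two cases as cleanly, and, as the paragraph notes, nothing in the flagged packets identifies the real origin.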
There are at least two well-known targets of DoS attacks, namely machine attacks and network attacks. For example, a so-called “SYN” attack (see, e.g., CERT, “TCP SYN Flooding and IP Spoofing Attacks”, CERT Advisory CA 96.21, September, 1996) is a well-known type of attack against an individual machine. In such a DoS attack, a series of so-called TCP SYN packets are transmitted to a particular machine, thereby causing the machine to create a larger series of half-open TCP connections. Thereafter, when another computer (e.g., a client) desires to connect to the particular machine, the machine cannot locate an open slot in its table for clients due to the DoS attack. As such, the desired connection is denied by the machine. A significant problem of this type of DoS attack from a security perspective is that the clients and the attackers are basically indistinguishable. Although one possible defense for such SYN attacks in particular is described in the above-cited CERT Advisory, some machines may be more difficult to defend against such attacks.
The second known DoS attack is directed at an entire network and poses, from a security perspective, a much larger problem. In such network attacks, the objective is to overload the connection between a particular network (e.g., a corporate network) and its Internet Service Provider (ISP) with a large volume of communications traffic. More specifically, an attacker causes a large stream of data to be directed to the corporate network, which causes the communications connection (i.e., the pipeline) from the company's ISP to the company to become severely congested. This congestion, in turn, results in a loss of packets being transmitted to the corporate network. In particular, inasmuch as the routers along the communications path to the corporate network cannot distinguish between the attacking packets and valid client packets, the routers drop packets of each type with equal probability. As such, if an attacker can transmit packets at a very rapid rate, the packet drop rate will become so high that an insufficient number of the client's packets are actually received. Thus, the corporate network does not receive adequate service, if any, from the loaded link subject to the attack. One well-known attack of this type is the so-called “smurf” attack detailed in CERT, “smurf IP Denial-of-Service Attacks”, CERT Advisory CA 98.01, January, 1998.
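The two preceding paragraphs describe two resource-exhaustion mechanisms: a per-host table of half-open connections that fills up, and a link whose routers drop attack and client packets with equal probability. The models below are an added example written for this page, not part of the patent; the table size, timeout, round-trip time, packet rates and link capacity are constructed parameters chosen to make the argument concrete, not measurements of any real system.

```python
"""Two small models of the DoS effects described in the background.

Added example, not from the patent text. Both models are simplifications
with constructed parameters.

1. syn_backlog_service_fraction: a host keeps a fixed-size table of
   half-open TCP connections. Spoofed SYNs occupy a slot until the
   half-open timeout expires; genuine clients finish the handshake after
   one round trip and free their slot. The function returns the fraction
   of genuine connection attempts that found a free slot.

2. congested_link_client_fraction: a link of fixed capacity carries client
   and attack packets. Routers cannot tell them apart, so once the offered
   load exceeds capacity every packet is dropped with the same
   probability. The function returns the fraction of client packets that
   get through.
"""
import heapq


def syn_backlog_service_fraction(backlog: int, timeout: float, attack_rate: float,
                                 client_rate: float, rtt: float, duration: float,
                                 dt: float = 0.01) -> float:
    table = []                       # min-heap of times at which occupied slots are released
    attempted = served = 0
    acc_attack = acc_client = 0.0    # fractional arrival accumulators (deterministic rates)
    t = 0.0
    while t < duration:
        # Free slots whose entry has completed (client) or timed out (spoofed).
        while table and table[0] <= t:
            heapq.heappop(table)
        # Spoofed SYNs are never answered, so each holds a slot for the full timeout.
        acc_attack += attack_rate * dt
        while acc_attack >= 1.0:
            acc_attack -= 1.0
            if len(table) < backlog:
                heapq.heappush(table, t + timeout)
        # Genuine SYNs are served only if a slot is free; the slot is released after one RTT.
        acc_client += client_rate * dt
        while acc_client >= 1.0:
            acc_client -= 1.0
            attempted += 1
            if len(table) < backlog:
                heapq.heappush(table, t + rtt)
                served += 1
        t += dt
    return served / attempted if attempted else 1.0


def congested_link_client_fraction(capacity_pps: float, client_pps: float,
                                   attack_pps: float) -> float:
    offered = client_pps + attack_pps
    if offered <= capacity_pps:
        return 1.0
    # Indiscriminate drops: every packet survives with probability capacity/offered,
    # so the client's share of delivered packets equals that same probability.
    return capacity_pps / offered


if __name__ == "__main__":
    quiet = syn_backlog_service_fraction(128, 3.0, 0.0, 10.0, 0.1, 10.0)
    flooded = syn_backlog_service_fraction(128, 3.0, 100.0, 10.0, 0.1, 10.0)
    print(f"clients served without flood: {quiet:.2f}, under SYN flood: {flooded:.2f}")
    print("client packets delivered on a 1000 pps link under a 9900 pps flood: "
          f"{congested_link_client_fraction(1000, 100, 9900):.2f}")
```

With 128 slots, a 3 s half-open timeout and 100 spoofed SYNs per second, the table is full after little more than a second and thereafter each freed slot is taken by the next spoofed SYN before a genuine client arrives, so only the clients that connected during the first second are served. The link model makes the second paragraph's point in one line: when 9,900 attack packets per second share a 1,000 packet-per-second link with 100 client packets per second, only about ten percent of the client's packets are delivered, regardless of how the routers are configured, because they cannot single out the attack packets.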
One major obstacle to the prevention of such DoS attacks is that it is extremely difficult to determine the actual source of the attack. The attackers have the distinct advantage of being able to place almost any type of packet on the local communications connection whose source IP address is invalid and completely random. Thus, as detailed above, the victim of the attack is unable to determine the source and thereby correct the situation. To combat such network security risks from DoS attacks, network administrators typically attempt to trace the “malicious” packets back to their source. However, such tracing is often a massive, tedious and computationally intensive exercise given the size and breadth of the Internet. Typically, current approaches to such tracing (referred to in the art as “hop-by-hop” tracing) require tedious continued attention and cooperation by third parties—e.g., by each intervening Internet Service Provider (ISP)—which must provide technical assistance and access to their networks in order to complete the desired trace. Gaining such access and cooperation from such ISPs is a major impediment in achieving a complete and accurate tracing of the source of the malicious packets, especially since the victim of the attack is unlikely to be a customer of all of the ISPs between itself and the attacker.
A need exists therefore for improving the traceability of packets in larger communications networks to identify their source, and in particular, for a method of tracing such packets which does not rely on knowledge or cooperation from intervening ISPs along the path.